Notes from Troy Hunt's Hack Yourself First Workshop

By Jakub Holý · Jun. 27, 15 · Interview

Troy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.

Highlights – resources

Personal security and privacy

  • https://www.entropay.com/ – a prepaid virtual Visa card
  • mailinator.com – throwaway e-mail addresses
  • F-Secure VPN
  • https://www.netsparker.com/ – scan a site for issues (insecure cookies, framework disclosure, SQL injection, …) (expensive: thousands of dollars)

Site security

  • https://report-uri.io/ – get reports when CSP rules are violated; also displays a site's CSP headers in a human-friendly way
  • https://securityheaders.io/ – check the quality of a site's headers with respect to security
  • free SSL – http://www.startssl.com/, https://www.cloudflare.com/ (also provides a web application firewall and other protections)
  • SSL quality check: https://www.ssllabs.com/ssltest/
  • https://letsencrypt.org/ – free, automated, open Certificate Authority (Linux Foundation, Mozilla)

Breaches etc.

  • http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/
  • https://twitter.com/jmgosney – one of the people behind http://passwordscon.org and the http://password-hashing.net experts panel; Team Hashcat.
  • http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

To follow

  • ! http://krebsonsecurity.com/
  • ! http://www.troyhunt.com/
  • ! https://www.schneier.com/
  • ! https://twitter.com/mikko (of F-Secure) also great [TED] talks
  • Kevin Mitnick (jailed for hacking; Twitter, books)

Books

  • http://www.amazon.com/We-Are-Anonymous-LulzSec-Insurgency/dp/0316213527 – easy read, hard to put down
  • http://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/1441793755 – about Mitnick’s hacking, social engineering, living on the run
  • ? http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661/
  • Mitnick: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ – social engineering

Other

  • https://www.xssposed.org/
  • See https://www.drupal.org/SA-CORE-2014-005
  • https://www.youtube.com/watch?v=Qvhdz8yE_po – Havij example
  • http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html, http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html, http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html, 
  • Google dork: find config files with SA access info: `inurl:ftp inurl:web.config filetype:config sa`
  • https://scotthelme.co.uk/hardening-your-http-response-headers/ and https://securityheaders.io/
  • https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning – prevent MITM
  • Wappalyzer Chrome plugin – displays what can be detected about the server and client (jQuery, NewRelic, IIS, Windows, …)
  • http://www.troyhunt.com/2015/05/do-you-really-want-bank-grade-security.html
  • http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
  • tool: https://github.com/gentilkiwi/mimikatz – extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory on Windows

Notes

  • HackYourselfFirst.troyhunt.com – an example app with many vulnerabilities
  • Note: maximizing your browser window will share info about your screen size, which might help to identify you
  • haveibeenpwned.com – Troy's online DB of hacked accounts

Tips

  • check robots.txt to find out which paths exist

Example Issues

  • no https on login page
  • weak password requirements
  • cookies without the Secure flag => sent over HTTP (incl. the AuthCookie)
  • password sent in clear text in the confirmation e-mail
  • user enumeration, e.g. an issue with AdultFriendFinder – enter someone's e-mail in the login form to find out whether they have an account
  • post illegal characters and get them displayed => injection
  • no anti-automation (captcha)
    • login confirmation e-mail + automated creation of 1m accounts => 1m e-mails sent => annoys people and likely hurts the site's spam reputation (=> harder to send e-mails)
  • brute-force protection?

### XSS

Reflected XSS: display unescaped user input

  • Encoding context: HTML, JS, CSS … have different escape sequences for the same character (e.g. <) – look at where they're mixed
  • Check encoding consistency – manual encoding that omits some characters
  • JS => load ext resources, access cookies, manipulate the DOM

Task: steal the AuthCookie via search
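As an added illustration of the encoding-context point (not code from the workshop or from Troy Hunt's app), the Python below reflects one constructed search term into an HTML attribute, a URL and a JavaScript string, encoding each for its own context, next to the "manual encoding that omits some characters" mistake; the `input_attributes` helper parses the result the way a browser would, to show which version lets the term add an attribute.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote
# Constructed sample input: a search term that is harmless as text but
# terminates a double-quoted attribute if the quote is not encoded.
SAMPLE = 'x" title="injected'

def manual_encode(value: str) -> str:
    """The 'manual encoding, omitting some chars' mistake: handles < and >
    but forgets quotes, so it is not safe inside an attribute value."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

def for_html(value: str) -> str:
    """HTML text node or quoted attribute: entity-encode & < > \" and '."""
    return html.escape(value, quote=True)

def for_js_string(value: str) -> str:
    """JavaScript string literal inside <script>: JSON encoding, plus \\u escapes
    for < and > so the value can never spell '</script>' in the page source."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def for_url(value: str) -> str:
    return quote(value, safe="")  # query-string parameter: percent-encoding

def render_unsafe(term: str) -> str:
    return f'<input name="q" value="{manual_encode(term)}">'
def render_safe(term: str) -> str:
    """The same term reflected in three contexts, each with its own encoder."""
    return (
        f'<input name="q" value="{for_html(term)}">\n'
        f'<a href="/search?q={for_url(term)}">permalink</a>\n'
        f'<script>var lastSearch = {for_js_string(term)};</script>'
    )

class _InputAttrs(HTMLParser):
    """Parses markup the way a browser would and records the <input> attributes."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def input_attributes(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs
```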

### SQL injection

Error-based injection: the DB helps us by telling us what is wrong -> use it to learn more and even to show some data

Ex.: http://hackyourselffirst.troyhunt.com/Make/10?orderby=supercarid (supercarid is a column name)

  • orderby=(select * from userprofile) …
  • learn about the DB structure; force an exception that shows the value, e.g. `(select top 1 cast(password as int) from userprofile)` => “Conversion failed for the nvar value ‘passw0rd …’”

Tips

  • think of SQL commands that disclose structure: sys.(tables,columns), system commands
  • enumerate records: nest queries: select the top X rows asc, then the top 1 row from that desc
  • write out how you think the query works / is being constructed internally
  • cast things to invalid types to disclose values in err msgs (or implicit cast due to -1 ..)

#### Defenses

  • whitelist input data types (id=123 => only allow ints)
  • enumerable values – check against an appropriate whitelist
  • if the value is stored – who uses it, and how? make both the query and the insertion safe
  • permissions: give read-only permissions as much as possible; don’t use admin user from your webapp
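An added example of these defences (not the workshop app's code): the `/Make/{id}?orderby=` endpoint from the notes, rebuilt on an in-memory SQLite table with constructed rows, in its concatenating form and in a hardened form that type-checks the id, whitelists the sort column and binds the value as a parameter.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the workshop app's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE supercar (supercarid INTEGER, makeid INTEGER, name TEXT, powerkw INTEGER);
        INSERT INTO supercar VALUES (1, 10, 'Huayra', 537), (2, 10, 'Zonda', 555), (3, 11, 'Veyron', 736);
        CREATE TABLE userprofile (id INTEGER, email TEXT, password TEXT);
        INSERT INTO userprofile VALUES (1, 'a@example.com', 'hash-placeholder');
    """)
    return conn

# Identifiers cannot be bound as parameters, so an orderby= parameter is only
# safe when it is mapped onto a fixed set of column names (a whitelist).
ORDERBY_ALLOWED = {"supercarid", "name", "powerkw"}

def cars_by_make_unsafe(conn, make_id: str, orderby: str) -> list:
    """The /Make/{id}?orderby= pattern built by string concatenation: both
    values reach the SQL engine verbatim, which is what error-based,
    union-based and blind injection all rely on."""
    sql = f"SELECT name FROM supercar WHERE makeid = {make_id} ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql)]

def cars_by_make_safe(conn, make_id: str, orderby: str) -> list:
    """Hardened form: the id must parse as an int (type whitelist), the sort
    column must be on the whitelist, and the id is bound as a parameter."""
    try:
        make_id_int = int(make_id)
    except ValueError:
        raise ValueError("make id must be an integer") from None
    if orderby not in ORDERBY_ALLOWED:
        raise ValueError("unknown sort column")
    sql = f"SELECT name FROM supercar WHERE makeid = ? ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql, (make_id_int,))]
```

The read-only permission point above still applies on top of this: the connection the web app uses should not be able to read userprofile or alter schema even if a query slips through.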

### Mobile apps

  • Look at HTTP req for sensitive data – creds, account, …
  • Apps may ignore certificate validations
  • In your app: param tampering, auth bypass, direct object refs
  • Often weak: airlines, small-scale shops, fast-food chains, …

Tips

  • certificate pinning – the app has the fingerprint of the server certificate hardcoded and doesn't trust even a “valid” MITM certificate (banks, Dropbox, …)

### CSRF Cross-Site Request Forgery

= make the user's browser send a request => their auth cookie is included

  • an async Ajax request to another site is forbidden (same-origin policy), but that doesn't apply to a normal form POST

Protection

  • anti-forgery tokens (hidden form fields)
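An added illustration of an anti-forgery token (not the workshop's code; `__RequestVerificationToken` is the ASP.NET MVC field name, while the secret key and session ids here are constructed): the token is an HMAC bound to the session, so a forged POST that rides on the auth cookie alone fails the check.

```python
import hashlib
import hmac
import os
import time

# Server-side key (constructed here with urandom; a real app loads it from config).
SECRET_KEY = os.urandom(32)

def issue_token(session_id: str, now: int = None) -> str:
    """Anti-forgery token bound to the session: HMAC over the session id, an
    issue time and a nonce. It is rendered into the form as a hidden field;
    a page on another origin cannot read it, so a forged POST cannot carry it."""
    now = now or int(time.time())
    nonce = os.urandom(8).hex()
    mac = hmac.new(SECRET_KEY, f"{session_id}:{now}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{now}.{nonce}.{mac}"

def verify_token(token: str, session_id: str, max_age: int = 3600, now: int = None) -> bool:
    """Recompute the MAC for *this* session and compare in constant time."""
    now = now or int(time.time())
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False
    if issued > now or now - issued > max_age:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{issued}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_post(cookie_session_id: str, form: dict) -> str:
    """What a state-changing handler checks before acting: the browser sends the
    auth cookie automatically, but only a form rendered by us carries a token
    that verifies against that cookie's session."""
    if not verify_token(form.get("__RequestVerificationToken", ""), cookie_session_id):
        return "403 anti-forgery token missing or invalid"
    return "200 OK"
```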

### Understanding framework disclosure

  • http://www.shodanhq.com/ -> search for “drupal 7” -> pwn
  • How it is disclosed:
    • headers
    • familiar signs – jsessionid cookie for Java, …
    • the default error and 404 responses may help to recognize the framework
    • HTML code (reactid), “.do” for Struts
    • implicit: order of headers (Apache vs IIS), paths (capitalized?), response to an improper HTTP version/protocol
      • => likely still possible to figure out the stack, but not possible to simply search for framework+version

### Session hijacking

Steal authentication cookie => use for illegal requests.

  • Persistence over HTTP of auth., session: cookie, URL (but URL insecure – can be shared)
  • Session/auth ID retrieval: insecure transport, referrer, stored in exceptions, XSS
  • Factors limiting hijacking: short expiry, keyed to the client device / IP (but IPs may rotate, esp. on mobile devices => be very cautious)

DAY 2

——–

### Cracking passwords

Password hashing: 

  • salt: so that two people choosing the same password get different hashes => cracking costs #salts × #passwords instead of just N
  • hash cracking tips:
    • character space
    • Dictionary: passw0rd, …
    • Mutations: manipulation and substitution of characters

Tips:

  • password managers: 1Password, LastPass, …
  • GPU ~ 100* faster than CPU

#### Ex: Crack with hashcat

common password dictionary + MD5-hashed passwords => crack

`./hashcat-cli64.bin --hash-type=0 StratforHashes.txt hashkiller.com.dic` (23M-password dictionary) -> Recovered: 44 326/860 160 hashes [obs.: duplicates] in 4 min (speed 135.35k plains)

Q: Which dictionary do we use? Do we apply any mutations to it?

### Account enumeration

  • = Does XY have an account?
  • Multiple vectors (psw reset, register a new user with the same e-mail, …)
  • Anti-automation: is there any? It may be inconsistent across vectors
  • Does it matter? (depends on the privacy needs)
  • How to “ask” the site, and how to identify positive and negative responses?
  • Timing attacks: distinguish a positive from a negative response by the difference in latency between the two
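One added example serving both the salting point above and this enumeration/timing section (not the workshop's code; the users and passwords are constructed): per-user salted PBKDF2 hashes, and a login that always does the same hashing work and returns the same message whether or not the e-mail exists, so neither the response text nor its latency answers "does XY have an account?".

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as GPUs get faster

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt + PBKDF2-HMAC-SHA256. Two users with the same
    password get different hashes, so a dictionary must be rerun per salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

# Constructed user store; both users chose the same weak password.
USERS = {email: hash_password("passw0rd") for email in ("alice@example.com", "bob@example.com")}

# A dummy record so that a login attempt for an unknown e-mail does the same
# PBKDF2 work as one for a known e-mail (no timing oracle) and gets the same
# generic message (no content oracle): the site never confirms an account exists.
_DUMMY = hash_password(os.urandom(16).hex())
GENERIC_FAILURE = "Invalid e-mail or password"

def login(email: str, password: str) -> Tuple[bool, str]:
    salt, digest = USERS.get(email, _DUMMY)
    ok = verify_password(password, salt, digest) and email in USERS
    return (True, "Welcome") if ok else (False, GENERIC_FAILURE)

def cracking_work(n_users: int, dict_size: int, salted: bool) -> int:
    """Hash computations needed to run a dictionary against every user's hash:
    #salts * #passwords with per-user salts, just #passwords without."""
    return dict_size * n_users if salted else dict_size
```

The same rule applies to the other enumeration vectors in the list (password reset, registration): one wording and one code path for both the known and the unknown e-mail.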

### HTTPS

Confidentiality, Integrity, Authenticity

Traffic hijacking: https://www.wifipineapple.com/ – Wi-Fi hotspot with evil capabilities

  • monitor probe requests (the phone looks for networks it knows), present yourself as one of those, and the phone connects automatically (if no encryption)
  • Consider everything sent over HTTP to be compromised
  • Look at HTTPS content embedded in untrusted pages (iframes, links) – e.g. a payment page embedded in an HTTP page

Links

  • HSTS Preload – tell Chrome, FF that your site should only be ever loaded over HTTPS – https://hstspreload.appspot.com/
  • https://www.owasp.org/index.php/HTTP_Strict_Transport_Security header
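An added checker in the spirit of securityheaders.io (example code, neither the service's nor the workshop's): it audits a response's headers for HSTS (max-age, includeSubDomains), CSP, framing protection, framework-disclosing headers and the Secure/HttpOnly flags on cookies such as the AuthCookie from the issues list. The two sample header sets are constructed.

```python
from typing import List, Tuple

ONE_YEAR = 31536000  # max-age threshold used here; also the HSTS preload list minimum

def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in (p.strip().lower() for p in value.split(";")):
        if part.startswith("max-age="):
            out["max-age"] = int(part.split("=", 1)[1])
        elif part == "includesubdomains":
            out["includeSubDomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out

def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Findings for one response's (name, value) header pairs."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("HSTS missing: the site can still be loaded over plain HTTP")
    else:
        parsed = parse_hsts(hsts[0])
        if (parsed["max-age"] or 0) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not parsed["includeSubDomains"]:
            findings.append("HSTS does not cover subdomains")
    csp = " ".join(by_name.get("content-security-policy", []))
    if not csp:
        findings.append("No Content-Security-Policy: injected or proxy-added resources load freely")
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp:
        findings.append("No framing protection (X-Frame-Options or CSP frame-ancestors)")
    for header in ("server", "x-powered-by", "x-aspnet-version"):
        if header in by_name:
            findings.append(f"{header} header discloses the stack (framework disclosure)")
    for cookie in by_name.get("set-cookie", []):  # Secure/HttpOnly flags on every cookie
        name, flags = cookie.split("=", 1)[0], {p.strip().lower() for p in cookie.split(";")[1:]}
        for flag, why in (("secure", "also sent over plain HTTP"), ("httponly", "readable by injected script")):
            if flag not in flags:
                findings.append(f"cookie {name} lacks {flag}: {why}")
    return findings

# Constructed sample responses: a weak configuration and a hardened one.
WEAK = [("Set-Cookie", "AuthCookie=abc123; Path=/"), ("X-Powered-By", "ASP.NET")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("Set-Cookie", "AuthCookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```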

### Content Security Policy header

https://developer.chrome.com/extensions/contentSecurityPolicy – see e.g. the headers of https://haveibeenpwned.com/

Without CSP

  • anything can be added to the page via a reflected XSS risk
  • anything can be added to the DOM downstream (e.g. on a proxy)

With CSP the browser will only load resources you white-list; any violations can be reported

Use e.g. https://report-uri.io/home/generate to create the policy, then watch the violation reports to fine-tune it.
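An added example of that workflow (not report-uri.io's or the workshop's code; the policy, origins and violation report are constructed): build the header from a whitelist, start in Report-Only mode, and triage an incoming violation report as either a policy gap or an unexpected origin.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed whitelist for a hypothetical site: only our own origin plus one CDN.
POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example"],
    "img-src": ["'self'"],
}

def build_csp(policy: Dict[str, List[str]], report_uri: str = None, report_only: bool = False) -> Tuple[str, str]:
    """Serialise the whitelist into the (header name, value) pair. Start in
    Report-Only mode, collect reports, then switch to the enforcing header."""
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)

def summarise_report(body: str) -> dict:
    """Pick the triage-relevant fields out of the JSON a browser POSTs to report-uri."""
    r = json.loads(body)["csp-report"]
    return {"page": r.get("document-uri"),
            "directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri") or ""}

def classify(summary: dict, policy: Dict[str, List[str]]) -> str:
    """Is the blocked origin one we already use (a policy gap to fix) or one we
    have never whitelisted (possible injection or proxy-added content)?"""
    blocked = summary["blocked"]
    if blocked in ("inline", "eval", "self"):
        return f"{blocked} blocked: own code to refactor or injected markup"
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(blocked)) if "://" in blocked else blocked
    known = {src for sources in policy.values() for src in sources}
    if origin in known:
        return f"policy gap: {origin} is allowed elsewhere but not for {summary['directive']}"
    return f"unexpected origin {origin}: check for injection or a proxy adding content"

# Constructed violation report, in the shape browsers send.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self' https://cdn.example",
    "effective-directive": "script-src",
    "original-policy": build_csp(POLICY, "/csp")[1],
    "blocked-uri": "https://unknown.example/tracker.js",
}})
```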

### SQL injection cont’d

(Yesterday: Error-Based)

#### Union Based SQLi

Modify the query to union in whatever other data and show it. Yields more data, faster, than error-based injection.

Ex.: http://hackyourselffirst.troyhunt.com/CarsByCylinders?Cylinders=V12 : V12 -> `V12' union select voteid, comments collate SQL_Latin1_General_CP1_CI_AS from vote--`

#### Blind Boolean (laborious)

Blind inj.: We can’t always rely on data being explicitly returned to the UI => ask a question, draw a conclusion about the data.

Ex.: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=PowerKw&asc=false ->

orderBy => `case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end`

Extract an e-mail address one character at a time: is the ASCII code of the lowercased char #1 < the ASCII code of ‘m’?

Automation: SqlMap

#### Time based blind injection

When no useful output is returned, but the yes/no responses can be made to differ significantly in how long they take, e.g. by asking the DB to delay the OK response.

MS SQL: `IF 'b' > 'a' WAITFOR DELAY '00:00:05'`

### Brute force attacks

  • Are there any defences? Often not
  • How are defences implemented?
    • block the requested resource
    • block the src IP
    • rate limit (by src IP)

### Automation

  • penetration testing apps and services such as Netsparker, WhiteHatSec
  • target identification: Shodan, Google dorks, random crawling
  • think about the actions that follow a pattern – SQL injection, fuzzing (repeat a request trying different values for fields – SQLi, …), directory enumeration
  • automation can be used for good – test your own site
  • tip: have automated penetration testing (and perhaps static code analysis) as a part of your build pipeline

Task: get the DB schema using sqlmap (see `python2.7 sqlmap.py --help`)

### Protection

Intrusion Detection System (IDS) – e.g. Snort

Web Application Firewall (WAF) – e.g. CloudFlare ($20/m)

